The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Thursday, April 03, 2014

U.S. (correctly) identifies some Canadian privacy laws as trade barriers

The United States Trade Representative has released its latest Report on Foreign Trade Barriers [PDF] which specifically identifies certain Canadian provincial privacy laws as non-tariff trade barriers. It points to the public sector privacy laws in British Columbia and Nova Scotia and singles out Canadian federal government procurement of cloud services:

Cross-Border Data Flows

The strong growth of cross-border data flows resulting from widespread adoption of broadband-based services in Canada and the United States has refocused attention on the restrictive effects of privacy rules in two Canadian provinces, British Columbia, and Nova Scotia. These provinces mandate that personal information in the custody of a public body must be stored and accessed only in Canada unless one of a few limited exceptions applies. These laws prevent public bodies such as primary and secondary schools, universities, hospitals, government-owned utilities, and public agencies from using U.S. services when personal information could be accessed from or stored in the United States.

The Canadian federal government is consolidating information technology services across 63 email systems under a single platform. The request for proposals for this project includes a national security exemption which prohibits the contracted company from allowing data to go outside of Canada. This policy precludes some new technologies such as “cloud” computing providers from participating in the procurement process. The public sector represents approximately one-third of the Canadian economy, and is a major consumer of U.S. services. In today’s information-based economy, particularly where a broad range of services are moving to “cloud” based delivery where U.S. firms are market leaders; this law hinders U.S. exports of a wide array of products and services.

This has prompted Daniel Tencer to write in the Huffington Post that "U.S. Pushes Canada To Loosen Privacy Laws". These laws were designed to thwart the USA Patriot Act by requiring public bodies in those jurisdictions to only allow personal information to be stored in Canada and only accessed from within Canada.

As a practitioner of privacy law who has to deal with these statutes on a regular basis, I tend to agree and think the fine citizens of Nova Scotia and British Columbia would be better off without them. I have seen, on many occasions, government functionaries simply say "no" to non-Canadian vendors because of privacy risks they do not understand, denying their citizens access to leading-edge, cost-saving technology. It is much simpler and easier to say "no".

The BC law came into being as a result of a public sector trade union objecting to the possible outsourcing of medicare claims processing to the Canadian subsidiary of a US corporation. When the union realized it would not get public support for their jobs, it saw that it might be able to create a spectre of the US government getting their mitts on sensitive information under the Patriot Act. The result was the BC legislation. (Ironically, the outsourcing still took place after a very convoluted corporate structure was put in place.)

Similarly, a back-bench NDP politician stood up in the legislature and raised the exact same spectre. A short while later, Nova Scotia passed the Personal Information International Disclosure Protection Act. While the Nova Scotia law is much more flexible than the B.C. statute, both are a ham-fisted response to a really nuanced issue. Instead of asking the question about the real risk to data, the default answer is always "no" when a non-Canadian vendor puts forward a cloud computing solution to a government agency.

If these laws were designed to prevent non-Canadian vendors from getting a piece of government business, they've done that quite well. But they do not actually accomplish the objective of keeping personal information out of the hands of U.S. authorities under all circumstances. To begin with, if the Americans want data that's in Canada, they are likely to get it. Canada, the United States and most western democracies engage in a very high level of cooperation that includes mutual legal assistance treaties and ad hoc information sharing. If US agencies are interested in an individual who has ties to Canada, the Federal Bureau of Investigation can make a formal request of the Royal Canadian Mounted Police or CSIS to obtain the relevant information on their behalf. (Most Canadian privacy laws actually permit this sort of information sharing under treaties or informal arrangements.) And if you are concerned about covert access to this sort of data, American laws do not prohibit federal agencies from infiltrating computers and networks outside of the United States. Some have suggested that information is safer from U.S. authorities in the U.S. because of this.

In addition, any person or corporation with sufficient ties to the United States can be compelled to hand over data regardless of where it is. This can include fully Canadian corporations with assets in the U.S. This can also take place if handing over the data would violate Canadian laws. The Huffington Post article refers to the Canadian federal government's decision to give a massive cloud "shared services" contract to Bell Canada when U.S. vendors were disqualified from even submitting a proposal. Does this make the data "safe" from the Americans? Not really, since the parent company of Bell Canada is publicly traded on the New York Stock Exchange. They simply can't ignore a U.S. court order.

So what's the solution to this "problem"? It would be the policy that the federal government purports to have, but does not seem to have followed in the shared services contracting. That is to do a full privacy impact assessment in all cases which fully evaluates all of the risks to privacy associated with the project, including what risks cross-border data flows might introduce. And when I say all the risks, I mean with a fully-informed understanding of the circumstances under which non-Canadian governments might get their hands on the data. In some cases, the risk introduced by crossing the border may be unpalatable, but at least it is an informed decision.

The current practice of simply saying no to non-Canadian vendors is a non-tariff trade barrier.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.